August 31, 2007

SELinux was originally a development project of the National Security Agency (NSA), Secure Computing Corporation (SCC) and others. It is an implementation of the Flask operating system security architecture. As a step in its evolution, SELinux was integrated into the Linux kernel using the Linux Security Modules (LSM) framework. SELinux motivated the creation of LSM, at the suggestion of Linus Torvalds, who wanted a modular approach to security instead of simply accepting SELinux into the kernel. SELinux is now a standard component of RHEL and of non-commercial distributions such as Fedora, Debian GNU/Linux and Gentoo Linux.

Introduction

In the world of Linux, SELinux is the new buzzword. Most operating systems use access controls to limit the access a user or process has to other parts of the system such as files, devices, sockets, ports and other processes (called objects in SELinux). The two main types are Discretionary Access Control (DAC) and Mandatory Access Control (MAC).

SELinux supplements the traditional DAC mechanism of Linux with MAC. Under SELinux, programs run inside a confined domain and follow the principle of least privilege: each program is limited to the set of operations it actually needs.

Discretionary Access Control (DAC)

Discretionary Access Control (DAC) is the standard mechanism for Linux security. Under DAC, every process runs with an associated user and group, and that process has access to all files and directories that the user and group can access. Thus an errant process can destroy every file that belongs to the user.

Under DAC, ownership of a file object gives potentially crippling or risky control over the object. A user can expose a file or directory to a security or confidentiality breach through a misconfigured chmod command and the unexpected propagation of access rights that follows. A process started by that user, such as a CGI script, can do anything to the files the user owns. A compromised Apache HTTP server can perform any operation on files accessible to the apache user and group. Malicious or broken software can gain root-level access to the entire system, either by running as a root process or through setuid or setgid binaries.

Mandatory Access Control (MAC)

Also called non-discretionary access control, this framework lets you define how all processes (called subjects) may interact with objects. This is done through a security policy defined by the administrator; all processes and objects are controlled through the kernel, and security decisions are made on all available information (the security contexts of subject and object) rather than on user identity alone. With this model a process can be granted just the permissions it needs to function, which follows the principle of least privilege. Under MAC, for example, users who have exposed their data with chmod are still protected, because their data carries a type associated only with user home directories, and confined processes cannot touch files of that type unless the policy explicitly grants that permission for a specific purpose.

SELinux Architecture

SELinux adds another layer of access control on top of standard file permissions and ACLs, defined by the system security policy. Every object (files and other items) and every subject (process) has a security context with three attributes: a user identity, a role and a type. Together these attributes limit the authority of the subject over the object. The security context is displayed as a colon-separated triplet in this format:

user_identity:role:type

To view the security context associated with objects and subjects, use the -Z option of the usual commands: ls -Z shows the context of files, ps -Z the context of processes.

The user identity indicates the SELinux user account associated with a subject or object. SELinux user identities are different from UNIX identities: they are applied as part of the security label and can be changed at run time only under limited conditions. SELinux keeps its own database that maps Linux users to SELinux user identities. A role defines the set of domains a user may enter; a user can be in only one role at any given time. Types (called domains when applied to processes) are the primary security attribute used for authorization decisions, which is why this model is known as type enforcement.

The SELinux policy, installed under /etc/selinux/targeted/policy/, controls these important aspects:

1. The particular roles that identities can use.

2. Which domains roles can enter.

3. The types that domains can access.

The SELinux policy is highly configurable. For RHEL 4, Red Hat supports a single policy, the targeted policy. Under this policy every process runs in the unconfined_t domain except for the specific daemons the policy targets. Processes in unconfined_t are not restricted by SELinux at all and fall back to standard Linux security, that is, DAC. This keeps the policy flexible enough to fit into enterprise infrastructures. The targeted daemons run in their own domains and are restricted in every operation they can perform on the system, so a daemon that is broken or exploited is limited in the damage it can do.

Controlling SELinux

The SELinux policy may be adjusted or disabled through a number of utilities. The easiest to use is the graphical system-config-securitylevel tool, which can turn SELinux off or set it to permissive or enforcing mode. It also allows Booleans to be adjusted, which fine-tune the rules the policy enforces; the same Booleans can be read and set from the command line with getsebool and setsebool (setsebool -P makes the change persistent across reboots).

When SELinux is enabled, there are two modes:

1. Permissive

2. Enforcing

Permissive mode is the warn-only mode. Access is still governed by standard DAC, and every access that SELinux would have denied in enforcing mode is logged to /var/log/messages instead of being blocked.

Enforcing mode makes SELinux control access to the system using MAC, that is, it enforces the SELinux policy. The mode can be switched at run time with the setenforce command and set permanently in the file /etc/sysconfig/selinux.

setenforce is a command-line tool that switches SELinux between enforcing mode (setenforce 1) and permissive mode (setenforce 0); getenforce reports the current mode. setenforce cannot disable SELinux completely. To do that, set SELINUX=disabled in /etc/sysconfig/selinux (or use system-config-securitylevel) and reboot, or pass selinux=0 on the kernel line in the GRUB configuration. Be aware that files created or modified while SELinux is disabled receive no security context, so after re-enabling it the file system must be relabeled (for example by creating /.autorelabel and rebooting), or confined daemons will be denied access to the unlabeled files.

The kernel option enforcing=0 can be passed through GRUB at boot time to start SELinux in warn-only mode; enforcing=1 starts it in enforcing mode. The /selinux virtual file system is similar to /proc and /sys: it presents the state of SELinux in the kernel to user-space programs such as the ones above (for example, /selinux/enforce reads 1 in enforcing mode and 0 in permissive mode). sestatus shows the actual SELinux settings: whether SELinux is enabled, the current mode, the mode from the config file and the loaded policy.
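A check I would add at this point, written for this page and not part of the original article or of Red Hat's tooling: the mode configured in /etc/sysconfig/selinux and the mode the kernel is currently enforcing can disagree (a setenforce 0 that was never reverted is the usual cause), and the disagreement shows up when /selinux/enforce is compared with the config file. The function names, the optional root-directory argument (so the script can be pointed at a constructed fixture on a host without SELinux) and the fixture contents are my own; on a real RHEL 4 host you would run the functions with no argument, or simply run sestatus, which reports both values.

```shell
#!/bin/sh
# Added example (not from the original article): compare the SELinux mode
# configured in /etc/sysconfig/selinux with the mode the kernel is actually
# enforcing, read from the /selinux pseudo-filesystem, and report drift.
# The optional first argument is a root directory (assumption made so the
# script can run against a fixture); omit it on a real host.

# Print the configured mode (enforcing|permissive|disabled) from the last
# uncommented SELINUX= line of the config file, or "unknown".
configured_mode() {
    cfg="${1:-}/etc/sysconfig/selinux"
    [ -r "$cfg" ] || { echo "unknown"; return 0; }
    mode="$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$cfg" \
        | tail -n 1 | tr 'A-Z' 'a-z')"
    echo "${mode:-unknown}"
}

# Print the runtime mode: /selinux/enforce holds 1 (enforcing) or 0
# (permissive) and does not exist when SELinux is disabled (selinux=0).
runtime_mode() {
    enf="${1:-}/selinux/enforce"
    if [ ! -r "$enf" ]; then
        echo "disabled"
        return 0
    fi
    case "$(cat "$enf")" in
        1) echo "enforcing" ;;
        0) echo "permissive" ;;
        *) echo "unknown" ;;
    esac
}

# Report configured vs runtime mode; exit status 1 means they differ.
check_selinux_mode() {
    root="${1:-}"
    want="$(configured_mode "$root")"
    have="$(runtime_mode "$root")"
    if [ "$want" = "$have" ]; then
        echo "ok: configured=$want runtime=$have"
        return 0
    fi
    echo "DRIFT: configured=$want runtime=$have"
    return 1
}

# Constructed fixture (not a real host): config says enforcing, but the
# kernel file says 0, as if "setenforce 0" had been run and forgotten.
make_fixture() {
    mkdir -p "$1/etc/sysconfig" "$1/selinux"
    cat > "$1/etc/sysconfig/selinux" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
    printf '0\n' > "$1/selinux/enforce"
}

demo() {
    tmp="$(mktemp -d)"
    make_fixture "$tmp"
    check_selinux_mode "$tmp"   # prints: DRIFT: configured=enforcing runtime=permissive
    rm -rf "$tmp"
}

[ "${1:-}" = "--demo" ] && demo
```

Run it with --demo to see the fixture result; on a real system call check_selinux_mode with no argument from cron or a monitoring agent, and treat DRIFT as an incident rather than a configuration nit, since a permissive host logs denials but blocks nothing.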

The context of a file can be changed with the chcon command. Its --reference option copies the context of a given file and applies it to the target (chcon --reference=FILE TARGET). Contexts set with chcon are not recorded in the policy's file context specification, so a relabel with restorecon, fixfiles or /.autorelabel resets them to the policy default.

Troubleshooting SELinux

SELinux policy violations (AVC denials) are logged by the kernel to /var/log/messages as lines containing "avc: denied", followed by the permission that was denied, the process (pid and comm), the target object, the source and target security contexts and the object class. Permissive mode writes the same lines without blocking anything, which makes it the natural way to collect the denials a new service generates before switching to enforcing mode.
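As an added example, not from the original article: the following shell function summarizes the AVC denials found in /var/log/messages, so that a repeated failure stands out from the noise. It also shows the user:role:type triplet from the section above being split apart, since the type is the field the targeted policy decides on. The sample log lines are constructed for this demo (hostname, pids, inode numbers and paths are made up) but follow the format the kernel writes on RHEL 4; avc_summary and sample_messages are my names.

```shell
#!/bin/sh
# Added example (not from the original article): summarize AVC denials.
# Reads syslog lines on stdin and prints one line per distinct
# (process, source type, target type, object class, permissions) tuple,
# prefixed by how often it occurred, most frequent first.
avc_summary() {
    awk '
    /avc: *denied/ {
        # the permission set sits between "{" and "}", e.g. "{ read write }"
        s = index($0, "{"); e = index($0, "}")
        perms = substr($0, s + 1, e - s - 1)
        gsub(/^ +| +$/, "", perms)
        src = ""; tgt = ""; cls = ""; comm = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      src  = substr($i, 10)
            else if ($i ~ /^tcontext=/) tgt  = substr($i, 10)
            else if ($i ~ /^tclass=/)   cls  = substr($i, 8)
            else if ($i ~ /^comm=/)   { comm = substr($i, 6); gsub(/"/, "", comm) }
        }
        # a context is user:role:type; the type (third field) is what the
        # targeted policy checks, so keep only that part of each context
        split(src, a, ":"); split(tgt, b, ":")
        key = comm " " a[3] " -> " b[3] " " cls " { " perms " }"
        count[key]++
    }
    END { for (k in count) printf "%5d  %s\n", count[k], k }
    ' | sort -rn
}

# Constructed sample of /var/log/messages (not captured from a real host):
# three kinds of httpd denial plus an unrelated sshd line that must be ignored.
sample_messages() {
    cat <<'EOF'
Aug 31 10:21:07 web1 kernel: audit(1188548467.235:1201): avc:  denied  { read } for  pid=2731 comm="httpd" name="index.html" dev=hda3 ino=49152 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
Aug 31 10:21:07 web1 kernel: audit(1188548467.240:1202): avc:  denied  { getattr } for  pid=2731 comm="httpd" path="/home/jomoz/public_html/index.html" dev=hda3 ino=49152 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
Aug 31 10:22:15 web1 kernel: audit(1188548535.002:1203): avc:  denied  { name_connect } for  pid=2733 comm="httpd" dest=3306 scontext=root:system_r:httpd_t tcontext=system_u:object_r:mysqld_port_t tclass=tcp_socket
Aug 31 10:23:01 web1 sshd[2800]: Accepted password for jomoz from 192.0.2.10 port 51234 ssh2
Aug 31 10:23:40 web1 kernel: audit(1188548620.118:1204): avc:  denied  { read } for  pid=2731 comm="httpd" name="index.html" dev=hda3 ino=49152 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
EOF
}

# On a real host:  avc_summary < /var/log/messages
sample_messages | avc_summary
```

Read the summary before reaching for setenforce 0. A burst of httpd_t denials on user_home_t means the web server is serving content out of a home directory, which the targeted policy allows only when the relevant Boolean is turned on (getsebool -a lists them) or the files are relabeled to a type httpd may read; a name_connect denial on a port type means the daemon is opening a network connection the policy does not expect, which is either a Boolean to enable or, on a server that should never make that connection, a sign of compromise.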

Reference: http://www.nsa.gov/selinux and http://www.redhat.com

Article Authored by Jomoz

The author, Jomoz, is a Systems Engineer with SupportPRO. Jomoz specializes in cPanel, Linux and Windows servers. SupportPRO offers 24x7 technical support services to web hosting companies and service providers.